In the current Symantec Encryption Management Server environment, users with Administrator Roles can access the server. To prevent any unauthorized access to your server, Symantec Encryption Management Server offers the passphrase security feature to secure administrative accounts from brute-force attacks or dictionary attacks.
Users with the SuperUser role can now set passphrase security requirements and enforce them on administrators. To set the passphrase security requirements, SuperUsers can modify the configuration preference file, prefs.xml, and apply it to Symantec Encryption Management Server administrators. The passphrase security requirements are enforced when administrators create or reset their passphrase.
Symantec Encryption Management Server offers the following passphrase security requirements for administrator accounts:
Passphrase Complexity—Helps to create strong passphrases.
Passphrase History—Prevents reuse of old passphrases.
Passphrase Aging—Expires passphrases periodically and requires administrators to create new passphrases.
Passphrase Reset—Requires administrators to create a new passphrase when a temporary passphrase is set or a passphrase expires.
Account lockout—Disables an administrator account after a specified number of consecutive failed login attempts.
Implementing these passphrase security requirements protects Symantec Encryption Management Server administrative accounts and reduces the likelihood of a successful brute-force attack.
The following topic includes sections that provide information on configuring and implementing passphrase security requirements, and the default values for each passphrase security setting. The sections also cover security considerations, including possible vulnerabilities, the potential impact of each setting, and countermeasures that you can take.
For more information, see the Understanding and Configuring Administrator Passphrase Security Requirements (on page 340) topic of the Symantec Management Server 10.5 Admin Guide.
Configuring Passphrase Security Requirement for Administrator Accounts
As a SuperUser, you must configure the passphrase security requirements to add protection to the administrator accounts. Use the following procedure to configure the passphrase security requirements in the configuration preference file, prefs.xml, located in /etc/ovid/.
To configure passphrase security requirements for administrator accounts:
1. Open the /etc/ovid/prefs.xml file for editing.
2. To configure the Passphrase Age requirements, do the following:
To enable the Passphrase Age requirement, set the enable-password-aging attribute to true.
To configure the Minimum Passphrase Age value, set the password-min-age attribute to any value from 0 through 60.
To configure the Maximum Passphrase Age value, set the password-max-age attribute to any value from 0 through 60.
To configure the Passphrase Expiration Warning Period value, set the advance-warning-period attribute to any value from 0 through 60.
3. To configure the Passphrase History requirements, do the following:
To enable the Passphrase History requirement, set the enable-password-history attribute to true.
To configure the maximum number of passphrases that you want to store in the passphrase history, set the number-of-passwords-to-remember attribute to any value from 0 through 30.
4. To configure the Passphrase Complexity requirements, do the following:
To enable the Passphrase Complexity requirement, set the enable-complex-password attribute to true.
To configure the minimum number of characters that a passphrase must contain, set the password-min-length attribute to any value from 8 through 128.
5. Save the /etc/ovid/prefs.xml file.
6. (Optional) In a server cluster setup, run the following command on the current node to replicate the new settings on the other cluster members:
    # pgprepctl file /etc/ovid/prefs.xml
Note: Be sure to run this command after each modification to the prefs.xml file.
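The following check is an added example, not part of the original article or of Symantec's tooling: it reads a copy of prefs.xml and reports any of the settings from steps 2 through 4 that is missing, not enabled, or outside the range the procedure allows. The layout of prefs.xml is not shown in this article, so the script accepts each setting either as an XML attribute or as an element of that name; the <prefs> and <admin-passphrase-policy> element names in the sample are hypothetical.

```python
import xml.etree.ElementTree as ET

# Names and ranges are the ones given in the procedure above.
BOOLS = ("enable-password-aging", "enable-password-history", "enable-complex-password")
RANGES = {"password-min-age": (0, 60), "password-max-age": (0, 60),
          "advance-warning-period": (0, 60),
          "number-of-passwords-to-remember": (0, 30),
          "password-min-length": (8, 128)}

def collect_settings(xml_text):
    """Map each known setting to its value, whether stored as an XML
    attribute or as element text (the file layout is an assumption)."""
    known, found = set(BOOLS) | set(RANGES), {}
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if name in known:
                found[name] = value.strip()
        if elem.tag in known and elem.text:
            found[elem.tag] = elem.text.strip()
    return found

def audit(xml_text):
    """Return findings (booleans first, then ranges); empty means all pass."""
    found, findings = collect_settings(xml_text), []
    for name in BOOLS:
        if found.get(name, "").lower() != "true":
            findings.append(f"{name}: requirement not enabled")
    for name, (low, high) in RANGES.items():
        value = found.get(name)
        try:
            if value is None:
                findings.append(f"{name}: not set")
            elif not low <= int(value) <= high:
                findings.append(f"{name}: {value} outside {low}-{high}")
        except ValueError:
            findings.append(f"{name}: not a number ({value})")
    return findings

# Constructed sample; the element names here are hypothetical.
SAMPLE = """<prefs>
  <admin-passphrase-policy enable-password-aging="true" password-min-age="1"
      password-max-age="90" advance-warning-period="7"
      enable-password-history="false" number-of-passwords-to-remember="10"
      enable-complex-password="true"/>
</prefs>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against a copy of the file before step 6, so that an out-of-range or disabled setting is caught before it is replicated to the other cluster members.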